The subject matter discussed in the background section should not be assumed to be prior art merely as a result of its mention in the background section. Similarly, a problem mentioned in the background section or associated with the subject matter of the background section should not be assumed to have been previously recognized in the prior art. The subject matter in the background section merely represents different approaches, which in and of themselves may also be inventions.
The advent of on-demand service environments has facilitated the development and deployment of third party software and applications for common software platforms, such as enterprise application software platforms. In an on-demand services environment, an enterprise platform for a large number of users provides a number of applications for a variety of uses, such as customer service, order processing, communications, and so on. An enterprise software platform is required to support a number of different entities, such as platform providers, hardware vendors, application developers, end users, consultants, IT (information technology) professionals, and so on.
A multi-tenant architecture allows users or customer organizations (i.e., tenants) to share database resources that are organized as one logical database on one or more central server computers, as opposed to maintaining their own locally hosted databases and application programs. The centralized database tables themselves are typically shared, and logical structures are employed to ensure differentiation and security among the different tenants. Likewise, the shared application programs can be segregated through access control mechanisms that restrict access and usage to only authorized users or subscribers. A large enterprise platform, such as the salesforce.com CRM platform, may include thousands of developers and platform partners to support hundreds of thousands of end users. The issues of application deployment and maintenance can therefore be quite extensive with regard to customizing, integrating and extending the platform applications to create custom solutions for the users.
In a typical enterprise application network environment, database and application resources for a multitude of different end users may be supported by a central enterprise platform. The end users may be individuals or organizations that use the resources and store data on the enterprise platform server computers. Each end user accesses his or her resources by logging in using established login credentials.
A large-scale, multi-tenant database system involving many different users, organizations, and classes of users requires the robust implementation of security mechanisms to ensure that proper segregation and protection of data is maintained. This creates a number of different security domains within the system, and corresponding access requirements for certain classes of users, such as administrators, tenants, end users, support representatives, and the like. Under present systems, security and access protocols are typically implemented through the exchange of credentials between the various users (tenants, end users, vendors, and so on) and the platform administrators. Depending on the relationship between the users and the platform, and/or the amount of support or remedial work required, the exchange and setting up of credentials may impose a relatively high degree of administrative overhead. For example, exchanging credentials may require the establishment of new accounts for each service instance, or it may involve the transmission of potentially sensitive information over public communication networks, exposing vulnerabilities with respect to spoofing and other hacking methods. Certain temporary access methods, such as screen-sharing techniques in which a user views and/or assumes control of the end user's computer screen through a console portal, similarly require a high degree of interaction between the users and also expose certain security vulnerabilities in the system. Thus, present methods of provisioning access in enterprise platform systems that rely on credential exchange or screen sharing present certain disadvantages with respect to processing overhead and system security.
Accordingly, it is desirable to provide techniques enabling efficient authentication and authorization of users for access to data in a multi-tenant database system.